
Possible Malware Eating RAM

hv2

Posted 01 June 2015 - 11:12 AM


New Member

Member

1 posts

Hello. I believe this issue started about a week ago, not sure how. Upon opening IE, there is a process named iexplore.exe *32 running with what seem like unusual command lines, an example being: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3304 CREDAT:1512759 /prefetch:2. The permissions were linked to an "Account Unknown (S-1-15-2-1)", but I managed to remove that. This process imitates the regular iexplore.exe process whenever I open IE. For each tab open, an imitation process opens. They consume very high RAM, up to 8 times the regular iexplore.exe. It randomly causes the RAM to skyrocket.

I've tried Malwarebytes Anti-Malware software: it removed 26 potentially harmful files from folders and the registry. I tried Microsoft Security Essentials: nothing. I tried Norton Antivirus: nothing. I tried HitmanPro: I believe it found nothing. I tried RKill: nothing. I tried TDSSKiller: nothing. Microsoft said it sounds like Malware, and advised me to disable all add-ons, then turn them on one by one to try and detect the problem, but to no avail. Now it seems like IE suddenly has errors sometimes. Any other programs I should try? Programs to delete? Perhaps the RAM is just too low (2GB, 1.61GB usable) and should be upgraded? Please, I'd appreciate some help with this issue if possible, thanks.

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

Error: (06/01/2015 08:38:00 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program Explorer.EXE version 6.1.7601.17567 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Error: (05/30/2015 02:26:19 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Windows Modules Installer service failed to start due to the following error:
%%1069

Error: (05/30/2015 02:26:19 PM) (Source: Service Control Manager) (EventID: 7038) (User: )
Description: The TrustedInstaller service was unable to log on as NT AUTHORITY\SYSTEM with the currently configured password due to the following error:
%%50

To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

Error: (05/30/2015 02:24:47 PM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Search service, but this action failed with the following error:
%%1056

Error: (05/30/2015 02:24:21 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (05/30/2015 02:24:19 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Modules Installer service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
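An added triage script (not posted by anyone in this thread) that lists every iexplore.exe instance the way a helper would want to see it: PID, parent process, working set, image path, Authenticode signature status and the full command line, with flags on the conditions worth a second look (unsigned or invalid image, unexpected path, parent that is not IE or Explorer, large working set). It assumes Windows 7 or later with PowerShell 3.0+ and is best run from an elevated prompt; the 500 MB threshold is an arbitrary constructed cutoff, not a rule.

```powershell
# Added example: enumerate iexplore.exe instances with parent, RAM, path, signature and command line.
# Assumes PowerShell 3.0+ (uses Get-CimInstance and -notin). Run elevated for full visibility.

$iexplore = Get-CimInstance Win32_Process -Filter "Name = 'iexplore.exe'"

# Index every process by PID so each IE instance can be matched to its parent.
$byPid = @{}
Get-CimInstance Win32_Process | ForEach-Object { $byPid[$_.ProcessId] = $_ }

$report = foreach ($p in $iexplore) {
    $parent = $byPid[$p.ParentProcessId]
    $sig    = if ($p.ExecutablePath) { Get-AuthenticodeSignature -FilePath $p.ExecutablePath } else { $null }

    # Flags a reviewer would check first; none of them alone proves malware.
    $flags = @()
    if (-not $sig -or $sig.Status -ne 'Valid') { $flags += 'UNSIGNED_OR_INVALID' }
    if ($p.ExecutablePath -and $p.ExecutablePath -notmatch '\\Internet Explorer\\iexplore\.exe$') { $flags += 'UNEXPECTED_PATH' }
    if ($parent -and $parent.Name -notin @('iexplore.exe', 'explorer.exe')) { $flags += "ODD_PARENT:$($parent.Name)" }
    if ($p.WorkingSetSize -gt 500MB) { $flags += 'HIGH_RAM' }   # constructed threshold

    [pscustomobject]@{
        PID         = $p.ProcessId
        ParentPID   = $p.ParentProcessId
        Parent      = if ($parent) { $parent.Name } else { '<exited>' }
        RAM_MB      = [math]::Round($p.WorkingSetSize / 1MB, 1)
        Path        = $p.ExecutablePath
        Status      = if ($sig) { $sig.Status } else { 'n/a' }
        Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Flags       = ($flags -join ',')
        CommandLine = $p.CommandLine
    }
}

# Largest consumers first; the Flags column is what to read before anything else.
$report | Sort-Object RAM_MB -Descending | Format-Table -AutoSize
```

Paste the resulting table into the thread instead of a screenshot so a helper can compare the path, signer and parent of each instance against the one the log already shows as digitally signed.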


Sugartooth

Posted 02 June 2015 - 04:32 PM


Member


814 posts

Hello hv2 and Welcome to Geeks to Go!

My name is Sugartooth and I will be helping you with your malware removal. I am currently in training so my posts will need to be reviewed by my instructor. On the positive side, you get to have two people working towards a resolution of your computer problems instead of just one.

A few important points to go over before we begin:

I highly recommend backing up any critical personal files on your machine to a safe place (not on this computer) before we start as it is impossible for me to know what interactions may happen between your computer's software and the tools we will use to clean your machine.

Please do not install any new software during the cleaning process other than the tools I provide for you. Running other programs can interfere with the tools we use and hinder the cleaning process by producing unpredicted results.

Please make sure that all the programs I ask you to download are downloaded to, and run from, your Desktop.

This is a complicated process. It will require several steps, patience, and careful following of my instructions in the order they are given to diagnose your problems to get your machine back in working order. Just because you no longer see any symptoms, doesn't mean all the malware has been removed. I will need for you to stay with me until I tell you that your computer is clean.

Since I am not physically able to view your computer, I will need for you to describe as fully as possible what symptoms you are experiencing and any changes between fixes.

If at any time you do not understand my instructions, or something unexpected happens, DO NOT CONTINUE. STOP AND ASK. I will get back to you as soon as I can. If you do not hear from me in 48 hours, send me a PM (Private Message).

Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post unless directed otherwise.

I recommend printing out these instructions so that you will be able to refer to them while working on your machine or save it to Notepad and place it on your Desktop. Part of the solution to your problem may involve us working in Safe Mode and you will need them to go by.

To access Notepad, click on the Start Menu>All Programs>Accessories>Notepad.

Please make sure you reply within 4 days to my responses. If there is no reply within 4 days, this topic will be closed and you will need to request that this topic be reopened. To do so, please contact me or any Moderator with the address of this thread by PM (Private Message).

I'm currently in the process of reviewing your logs. Please be patient. I'll get back to you as soon as I can.